Let's Encrypt 45-Day Certificates: What Enterprise Teams Need to Know

July 1, 2026

Introduction

The SSL certificate landscape is about to undergo its most significant change in years. Let's Encrypt, the world's largest certificate authority, is moving from 90-day to 45-day certificate lifetimes. For enterprise teams managing hundreds or thousands of domains, this isn't a minor adjustment — it's a fundamental shift in how SSL certificate management must operate.

If your team still handles SSL renewals manually, you're about to feel the pressure. What was four renewal cycles per year becomes eight. What was a manageable quarterly task becomes a perpetual operational burden. The timeline is already in motion, and infrastructure teams that prepare now will navigate the transition smoothly. Those that don't will face increased outage risk and mounting operational overhead.

This article breaks down the announcement, the reasoning behind it, what the transition timeline looks like, and what enterprise teams should do to prepare.

The Announcement: Let's Encrypt Moving from 90-Day to 45-Day Certificate Lifetimes

Let's Encrypt announced in mid-2026 their intention to reduce maximum certificate lifetimes from 90 days to 45 days. The change affects all new certificates issued after the transition date. Existing certificates will continue to be honored until their natural expiration, but renewals will be subject to the new 45-day lifetime.

This isn't a sudden decision. Let's Encrypt has been progressively shortening certificate lifetimes since its launch. They started at 90 days when most commercial CAs offered one-year certificates. The move to 45 days continues the industry-wide trend toward shorter-lived certificates.

The practical impact is straightforward: every domain secured by Let's Encrypt will need certificate renewal twice as often. For organizations that have already automated their renewal process, the transition may be seamless. For teams relying on manual processes or semi-automated workflows, the operational impact will be significant.

Why It's Happening: Security Best Practice — Limiting the Window of Compromise

Shorter certificate lifetimes are fundamentally a security improvement. Every TLS certificate represents a potential attack vector. If a certificate's private key is compromised, an attacker can impersonate the legitimate domain until the certificate expires or is revoked. The longer the certificate lifetime, the longer that window of compromise remains open.

Forty-five-day certificates shrink that window by half compared to the current 90-day standard. If a key is compromised on day one, the maximum exposure is 45 days instead of 90. In practice, the exposure is typically shorter, but the ceiling matters — especially for organizations that may not detect a compromise immediately.

There's also a revocation argument. Certificate revocation through CRLs and OCSP has historically been unreliable. Browsers don't always check revocation status consistently, and revoked certificates sometimes continue to be trusted. Shorter lifetimes reduce reliance on revocation infrastructure. If a certificate only lives 45 days, revoking it becomes less critical — it expires soon anyway.

The security community has long advocated for shorter certificate lifetimes. Let's Encrypt's move operationalizes what security researchers have been recommending for years.

Google's Parallel CA/Browser Forum Proposal — This Isn't Just Let's Encrypt

Let's Encrypt isn't acting alone. Google has been advancing a parallel proposal through the CA/Browser Forum to reduce maximum certificate lifetimes industry-wide to 45 days. This would affect all certificate authorities, not just Let's Encrypt — including commercial CAs like DigiCert, Sectigo, and GlobalSign.

The CA/B Forum proposal is still in discussion, but Google's involvement signals that 45-day lifetimes are likely to become an industry standard, not just a Let's Encrypt policy. When the largest browser vendor and the largest certificate authority align on a security policy, adoption tends to follow.

For enterprise teams, this means the 45-day certificate era isn't a Let's Encrypt-specific concern. If you're using commercial certificates with one-year lifetimes today, you should expect those lifetimes to shrink too. The entire SSL certificate ecosystem is moving toward short-lived certificates, and the transition is already underway.

Timeline: When the Change Happens and What the Transition Period Looks Like

Let's Encrypt has signaled a phased rollout. The exact dates are still being finalized, but the expected timeline follows a pattern similar to their previous lifetime reductions:

**Announcement phase (current):** Public communication, documentation updates, and tooling preparation. Client software like Certbot and ACME libraries receive updates to handle the new lifetimes.

**Staged rollout:** The 45-day lifetime applies first to a subset of new certificate issuances, allowing Let's Encrypt to monitor for issues and gather data on renewal patterns.

**Full enforcement:** All new certificates issued by Let's Encrypt carry the 45-day maximum lifetime. Existing 90-day certificates continue until their natural expiration.

For enterprise teams, the practical deadline is when your current automation reaches its renewal cycle post-transition. If your certificates renew every 60 days today, you have roughly one renewal cycle after the policy changes before you're issuing 45-day certificates.

What 45 Days Actually Means: 8 Renewal Cycles Per Year vs Current 4

The math is simple but the operational impact is not. Moving from 90-day to 45-day certificates means:

**Renewal frequency doubles.** Instead of four renewal cycles per year per domain, you're handling eight. For a team managing 100 domains, that's 800 renewal events annually instead of 400. For teams managing thousands of domains, the numbers become unmanageable without full automation.

**Renewal windows shrink.** With 90-day certificates, most automated renewal systems begin attempting renewal 30 days before expiration — leaving a comfortable 30-day buffer. With 45-day certificates, that same 30-day lead time leaves only 15 days of buffer. Renewal logic needs to be more aggressive and more reliable.

**Failure tolerance decreases.** With 90-day certificates, a renewal failure gives you weeks to investigate and resolve before expiration. With 45-day certificates, you have days. Every renewal failure is more urgent, and your monitoring needs to be more responsive.

**Rate limiting becomes a concern.** Let's Encrypt enforces rate limits on certificate issuance. Doubling renewal frequency means you're consuming twice the rate limit budget. Teams near their limits on 90-day certificates may hit them on 45-day certificates and need to adjust their issuance patterns.

The bottom line: manual or semi-automated renewal processes that barely worked at 90 days will fail at 45 days. Full automation is no longer optional.

Who This Affects Most: Teams Managing 100+ Domains with Manual SSL Processes

The 45-day certificate era doesn't affect everyone equally. Here's who feels the biggest impact:

**Domain investors and portfolio managers.** Teams managing hundreds or thousands of parked, redirected, or monetized domains face the largest operational burden. Each domain needs its own certificate. Manual renewal at this scale was already painful at 90 days. At 45 days, it's not feasible.

**Agencies managing client domains.** Digital agencies often manage SSL for dozens or hundreds of client domains. Each client may use different infrastructure, different renewal processes, and different levels of automation. The 45-day timeline amplifies every inconsistency in their renewal workflows.

**E-commerce platforms with multiple storefronts.** Multi-brand e-commerce operations run separate domains for each brand, each region, and each campaign. The certificate count multiplies quickly, and so does the renewal burden.

**SaaS platforms with custom domains.** SaaS products that allow customers to bring their own domains typically handle SSL provisioning as part of onboarding. With 45-day certificates, the renewal infrastructure needs to be bulletproof — a renewal failure for a customer's domain means their site shows a security warning.

Teams with fully automated ACME-based renewal may not feel the change at all. The certificate lifetime is abstracted away by infrastructure that renews automatically. The dividing line is automation — if your renewal process involves a human checking a dashboard or running a script, you're on the wrong side of it.

The Enterprise Readiness Gap

Industry surveys paint a concerning picture. Despite years of Let's Encrypt availability and ACME automation maturity, a significant percentage of organizations still manage SSL renewals through manual or semi-automated processes.

Common gaps include: certificates managed through spreadsheets rather than automated monitoring, renewal scripts that require manual triggering, expiration alerts that go to unmonitored inboxes, and wildcard certificates deployed across infrastructure without centralized renewal coordination.

The readiness gap is widest in organizations that adopted Let's Encrypt early but never fully automated their renewal pipeline. They set up Certbot on a few servers five years ago, added a cron job, and haven't revisited the setup since. Those cron jobs may run every 60 days — which won't be frequent enough for 45-day certificates.

The recommendation from infrastructure teams who have already made the transition is consistent: audit your renewal processes now. Map every certificate in your infrastructure, verify that renewal is automated and monitored, and test your failure recovery procedures. The 45-day era will expose every gap in your renewal pipeline.
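One way to run the schedule part of that audit, as an added example (not code from Let's Encrypt or any ACME client): for each certificate it compares the validity period against how often the renewal job runs and the remaining-lifetime threshold at which the job renews, covering both the 60-day cron case and the renewal-window case discussed earlier. The inventory rows, field names, status labels and the three-attempt minimum are assumptions constructed for illustration.

```python
import ssl
from dataclasses import dataclass

DAY = 86400  # seconds

@dataclass
class Cert:
    name: str
    not_before: str            # date strings as printed by `openssl x509 -noout -dates`
    not_after: str
    job_every_days: float      # how often the renewal job runs (assumed inventory field)
    renew_before_days: float   # job renews once remaining lifetime <= this

def assess(c: Cert, min_attempts: int = 3) -> dict:
    lifetime = (ssl.cert_time_to_seconds(c.not_after)
                - ssl.cert_time_to_seconds(c.not_before)) / DAY
    # A threshold >= lifetime means the job reissues on every run.
    window = min(c.renew_before_days, lifetime)
    # Worst case: the job last ran just before the window opened, so the
    # first real attempt happens one full interval into the window.
    worst_margin = window - c.job_every_days
    attempts = int(window // c.job_every_days)  # runs that fit before expiry
    # Earliest possible reissue age bounds issuance volume (rate-limit budget).
    per_year = 365 / max(lifetime - window, c.job_every_days)
    if worst_margin <= 0:
        status = "EXPIRES_BETWEEN_RUNS"
    elif attempts < min_attempts:
        status = "THIN_RETRY_BUDGET"
    else:
        status = "OK"
    return {"name": c.name, "lifetime": lifetime, "worst_margin": worst_margin,
            "attempts": attempts, "issuances_per_year": round(per_year, 1),
            "status": status}

# Constructed inventory: the same jobs before and after the lifetime change.
INVENTORY = [
    Cert("cron60-90d", "Jan  1 00:00:00 2026 GMT", "Apr  1 00:00:00 2026 GMT", 60, 90),
    Cert("cron60-45d", "Jan  1 00:00:00 2026 GMT", "Feb 15 00:00:00 2026 GMT", 60, 90),
    Cert("acme-30d-threshold", "Jan  1 00:00:00 2026 GMT", "Feb 15 00:00:00 2026 GMT", 0.5, 30),
    Cert("acme-15d-threshold", "Jan  1 00:00:00 2026 GMT", "Feb 15 00:00:00 2026 GMT", 0.5, 15),
]

if __name__ == "__main__":
    for cert in INVENTORY:
        print(assess(cert))
```

In this model, keeping a 30-day threshold on a 45-day certificate means reissuing roughly every 15 days, which is the figure to check against your rate-limit budget.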

Conclusion

The 45-day certificate era is coming, and it's not just a Let's Encrypt policy change — it's an industry-wide shift toward shorter certificate lifetimes driven by security best practices. For enterprise teams, the dividing line between those who feel the impact and those who don't is simple: automation.

If your SSL renewal pipeline is fully automated through ACME — if certificates renew, install, and verify without human intervention — you may not notice the change at all beyond updating a configuration parameter. If your renewal process involves any manual steps, spreadsheets, or human-triggered scripts, the 45-day timeline will expose every gap in your infrastructure.

The practical steps are straightforward: audit your certificate inventory, verify automation coverage, test renewal failure scenarios, and ensure monitoring catches expirations before users see browser warnings. The teams that do this now — before the timeline shrinks — will navigate the transition without incident.

Audit your SSL renewal process now. The 45-day era is coming — see how automated SSL management works.

Frequently asked questions

Let's Encrypt has announced their intention to reduce certificate lifetimes from 90 days to 45 days, with a phased rollout expected through 2026. The exact full-enforcement date is still being finalized, but the transition has already begun. Check Let's Encrypt's community forum for the latest timeline updates.

Currently, the change applies directly to Let's Encrypt certificates. However, Google has a parallel proposal through the CA/Browser Forum to reduce maximum certificate lifetimes to 45 days across all certificate authorities. If adopted, this would affect commercial CAs like DigiCert and Sectigo as well. Enterprise teams using commercial certificates should monitor CA/B Forum developments.

Automated renewal uses the ACME protocol, which Let's Encrypt supports natively. Most organizations use ACME clients like Certbot, acme.sh, or built-in ACME support in load balancers and reverse proxies. The key is ensuring the renewal process runs automatically (typically via cron or systemd timer), handles installation without manual intervention, and includes monitoring for renewal failures.

No. Certificate lifetime does not affect security ratings from tools like SSL Labs or Mozilla Observatory. The encryption strength, key size, and protocol support are independent of certificate lifetime. Shorter lifetimes are actually viewed positively by security auditors as they limit the window of key compromise.

Yes. RedirHub automatically provisions and renews SSL certificates for all domains managed through its edge infrastructure. Certificates are provisioned via Let's Encrypt ACME integration and renewed automatically before expiration. This means domains using RedirHub for redirect management won't require any operational changes when the 45-day policy takes effect.

An expired certificate causes browsers to display a security warning — typically a full-page interstitial that users must click through to access the site. This warning erodes user trust and can cause significant traffic loss. For e-commerce and SaaS applications, certificate expiration can directly impact revenue and customer confidence.

A mid-size enterprise typically manages 100-500 domains across product brands, marketing campaigns, regional sites, and internal services. At 45-day lifetimes, that means 800-4,000 renewal events annually — compared to 400-2,000 at 90 days. The operational difference is substantial, especially for organizations with manual or semi-automated renewal processes.

Once the 45-day policy is fully enforced, all new Let's Encrypt certificates will carry a 45-day maximum lifetime. Existing 90-day certificates will be honored until their natural expiration. If you need longer-lived certificates, commercial CAs still offer one-year certificates, though the CA/B Forum may reduce those maximums in the future.

Linh Tran - Infrastructure Engineer

Linh handles the backend systems that keep RedirHub fast and reliable. Her work revolves around performance, scalability, and making sure redirects happen instantly, no matter where users are. She likes solving complex problems quietly.